update README: reference REPO_POLICIES.md, add License/Author sections, document new Makefile targets

.dockerignore

@@ -1,6 +1,6 @@
-.git/
+.git
-bin/
+bin
-*.md
+data
-LICENSE
+.env
-.editorconfig
+.DS_Store
-.gitignore
+*.exe

.editorconfig

@@ -8,5 +8,8 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 
+[*.go]
+indent_style = tab
+
 [Makefile]
 indent_style = tab

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 sneak
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -1,4 +1,4 @@
-.PHONY: all build lint fmt fmt-check test check clean hooks docker
+.PHONY: all build lint fmt fmt-check test check clean docker hooks
 
 BINARY := dnswatcher
 VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
@@ -18,32 +18,25 @@ fmt:
 	goimports -w .
 
 fmt-check:
-	@test -z "$$(gofmt -l .)" || (echo "gofmt: files not formatted:" && gofmt -l . && exit 1)
+	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
 
 test:
-	go test -v -race -timeout 30s -cover ./...
+	go test -v -race -cover -timeout 30s ./...
 
 # Check runs all validation without making changes
 # Used by CI and Docker build - fails if anything is wrong
-check:
+check: fmt-check lint test
-	@echo "==> Checking formatting..."
-	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
-	@echo "==> Running linter..."
-	golangci-lint run --config .golangci.yml ./...
-	@echo "==> Running tests..."
-	go test -v -race -timeout 30s ./...
 	@echo "==> Building..."
 	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/dnswatcher
 	@echo "==> All checks passed!"
 
-clean:
+docker:
-	rm -rf bin/
+	docker build .
 
 hooks:
-	@echo '#!/bin/sh' > .git/hooks/pre-commit
+	@printf '#!/bin/sh\nset -e\nmake check\n' > .git/hooks/pre-commit
-	@echo 'make check' >> .git/hooks/pre-commit
 	@chmod +x .git/hooks/pre-commit
 	@echo "Pre-commit hook installed."
 
-docker:
+clean:
-	docker build .
+	rm -rf bin/

README.md

@@ -1,10 +1,9 @@
 # dnswatcher
 
-dnswatcher is a pre-1.0 Go daemon by [@sneak](https://sneak.berlin) that monitors DNS records, TCP port availability, and TLS certificates, delivering real-time change notifications via Slack, Mattermost, and ntfy webhooks.
-
 > ⚠️ Pre-1.0 software. APIs, configuration, and behavior may change without notice.
 
-dnswatcher watches configured DNS domains and hostnames for changes, monitors TCP
+dnswatcher is a production DNS and infrastructure monitoring daemon written in
+Go.  It watches configured DNS domains and hostnames for changes, monitors TCP
 port availability, tracks TLS certificate expiry, and delivers real-time
 notifications via Slack, Mattermost, and/or ntfy webhooks.
 
@@ -110,8 +109,8 @@ includes:
 - **NS recoveries**: Which nameserver recovered, which hostname/domain.
 - **NS inconsistencies**: Which nameservers disagree, what each one
   returned, which hostname affected.
-- **Port changes**: Which IP:port, old state, new state, all associated
+- **Port changes**: Which IP:port, old state, new state, associated
-  hostnames.
+  hostname.
 - **TLS expiry warnings**: Which certificate, days remaining, CN,
   issuer, associated hostname and IP.
 - **TLS certificate changes**: Old and new CN/issuer/SANs, associated
@@ -290,12 +289,12 @@ not as a merged view, to enable inconsistency detection.
   "ports": {
     "93.184.216.34:80": {
       "open": true,
-      "hostnames": ["www.example.com"],
+      "hostname": "www.example.com",
       "lastChecked": "2026-02-19T12:00:00Z"
     },
     "93.184.216.34:443": {
       "open": true,
-      "hostnames": ["www.example.com"],
+      "hostname": "www.example.com",
       "lastChecked": "2026-02-19T12:00:00Z"
     }
   },
@@ -328,10 +327,13 @@ tracks reachability:
 
 ```sh
 make build      # Build binary to bin/dnswatcher
-make test       # Run tests with race detector
+make test       # Run tests with race detector and 30s timeout
 make lint       # Run golangci-lint
-make fmt        # Format code
+make fmt        # Format code (writes)
-make check      # Run all checks (format, lint, test, build)
+make fmt-check  # Read-only format check
+make check      # Run all checks (fmt-check, lint, test, build)
+make docker     # Build Docker image
+make hooks      # Install pre-commit hook
 make clean      # Remove build artifacts
 ```
 
@@ -367,15 +369,9 @@ docker run -d \
    triggering change notifications).
 2. **Initial check**: Immediately perform all DNS, port, and TLS checks
    on startup.
-3. **Periodic checks** (DNS always runs first):
+3. **Periodic checks**:
-   - DNS checks: every `DNSWATCHER_DNS_INTERVAL` (default 1h). Also
+   - DNS and port checks: every `DNSWATCHER_DNS_INTERVAL` (default 1h).
-     re-run before every TLS check cycle to ensure fresh IPs.
+   - TLS checks: every `DNSWATCHER_TLS_INTERVAL` (default 12h).
-   - Port checks: every `DNSWATCHER_DNS_INTERVAL`, after DNS completes.
-   - TLS checks: every `DNSWATCHER_TLS_INTERVAL` (default 12h), after
-     DNS completes.
-   - Port and TLS checks always use freshly resolved IP addresses from
-     the DNS phase that immediately precedes them — never stale IPs
-     from a previous cycle.
 4. **On change detection**: Send notifications to all configured
    endpoints, update in-memory state, persist to disk.
 5. **Shutdown**: Persist final state to disk, complete in-flight
@@ -401,8 +397,7 @@ Viper for configuration.
 
 ## License
 
-License has not yet been chosen for this project. Pending decision by the
+MIT — see [LICENSE](LICENSE).
-author (MIT, GPL, or WTFPL).
 
 ## Author
 

internal/config/config.go

@@ -15,12 +15,6 @@ import (
 	"sneak.berlin/go/dnswatcher/internal/logger"
 )
 
-// ErrNoTargets is returned when DNSWATCHER_TARGETS is empty or unset.
-var ErrNoTargets = errors.New(
-	"no targets configured: set DNSWATCHER_TARGETS to a comma-separated " +
-		"list of DNS names to monitor",
-)
-
 // Default configuration values.
 const (
 	defaultPort             = 8080
@@ -124,9 +118,25 @@ func buildConfig(
 		}
 	}
 
-	domains, hostnames, err := classifyAndValidateTargets()
+	dnsInterval, err := time.ParseDuration(
+		viper.GetString("DNS_INTERVAL"),
+	)
 	if err != nil {
-		return nil, err
+		dnsInterval = defaultDNSInterval
+	}
+
+	tlsInterval, err := time.ParseDuration(
+		viper.GetString("TLS_INTERVAL"),
+	)
+	if err != nil {
+		tlsInterval = defaultTLSInterval
+	}
+
+	domains, hostnames, err := ClassifyTargets(
+		parseCSV(viper.GetString("TARGETS")),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("invalid targets configuration: %w", err)
 	}
 
 	cfg := &Config{
@@ -138,8 +148,8 @@ func buildConfig(
 		SlackWebhook:      viper.GetString("SLACK_WEBHOOK"),
 		MattermostWebhook: viper.GetString("MATTERMOST_WEBHOOK"),
 		NtfyTopic:         viper.GetString("NTFY_TOPIC"),
-		DNSInterval:       parseDurationOrDefault("DNS_INTERVAL", defaultDNSInterval),
+		DNSInterval:       dnsInterval,
-		TLSInterval:       parseDurationOrDefault("TLS_INTERVAL", defaultTLSInterval),
+		TLSInterval:       tlsInterval,
 		TLSExpiryWarning:  viper.GetInt("TLS_EXPIRY_WARNING"),
 		SentryDSN:         viper.GetString("SENTRY_DSN"),
 		MaintenanceMode:   viper.GetBool("MAINTENANCE_MODE"),
@@ -152,32 +162,6 @@ func buildConfig(
 	return cfg, nil
 }
 
-func classifyAndValidateTargets() ([]string, []string, error) {
-	domains, hostnames, err := ClassifyTargets(
-		parseCSV(viper.GetString("TARGETS")),
-	)
-	if err != nil {
-		return nil, nil, fmt.Errorf(
-			"invalid targets configuration: %w", err,
-		)
-	}
-
-	if len(domains) == 0 && len(hostnames) == 0 {
-		return nil, nil, ErrNoTargets
-	}
-
-	return domains, hostnames, nil
-}
-
-func parseDurationOrDefault(key string, fallback time.Duration) time.Duration {
-	d, err := time.ParseDuration(viper.GetString(key))
-	if err != nil {
-		return fallback
-	}
-
-	return d
-}
-
 func parseCSV(input string) []string {
 	if input == "" {
 		return nil

internal/config/config_test.go

@@ -1,87 +0,0 @@
-package config_test
-
-import (
-	"errors"
-	"testing"
-
-	"go.uber.org/fx"
-
-	"sneak.berlin/go/dnswatcher/internal/config"
-	"sneak.berlin/go/dnswatcher/internal/globals"
-	"sneak.berlin/go/dnswatcher/internal/logger"
-)
-
-func TestNewReturnsErrNoTargetsWhenEmpty(t *testing.T) {
-	// Cannot use t.Parallel() because t.Setenv modifies the process
-	// environment.
-	t.Setenv("DNSWATCHER_TARGETS", "")
-	t.Setenv("DNSWATCHER_DATA_DIR", t.TempDir())
-
-	var cfg *config.Config
-
-	app := fx.New(
-		fx.Provide(
-			func() *globals.Globals {
-				return &globals.Globals{
-					Appname: "dnswatcher-test-empty",
-				}
-			},
-			logger.New,
-			config.New,
-		),
-		fx.Populate(&cfg),
-		fx.NopLogger,
-	)
-
-	err := app.Err()
-	if err == nil {
-		t.Fatal(
-			"expected error when DNSWATCHER_TARGETS is empty, got nil",
-		)
-	}
-
-	if !errors.Is(err, config.ErrNoTargets) {
-		t.Errorf("expected ErrNoTargets, got: %v", err)
-	}
-}
-
-func TestNewSucceedsWithTargets(t *testing.T) {
-	// Cannot use t.Parallel() because t.Setenv modifies the process
-	// environment.
-	t.Setenv("DNSWATCHER_TARGETS", "example.com")
-	t.Setenv("DNSWATCHER_DATA_DIR", t.TempDir())
-
-	// Prevent loading a local config file by changing to a temp dir.
-	t.Chdir(t.TempDir())
-
-	var cfg *config.Config
-
-	app := fx.New(
-		fx.Provide(
-			func() *globals.Globals {
-				return &globals.Globals{
-					Appname: "dnswatcher-test-ok",
-				}
-			},
-			logger.New,
-			config.New,
-		),
-		fx.Populate(&cfg),
-		fx.NopLogger,
-	)
-
-	err := app.Err()
-	if err != nil {
-		t.Fatalf(
-			"expected no error with valid targets, got: %v",
-			err,
-		)
-	}
-
-	if len(cfg.Domains) != 1 || cfg.Domains[0] != "example.com" {
-		t.Errorf(
-			"expected [example.com], got domains=%v",
-			cfg.Domains,
-		)
-	}
-}

internal/resolver/iterative.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"math/rand"
 	"net"
 	"sort"
 	"strings"
@@ -41,6 +42,22 @@ func rootServerList() []string {
 	}
 }
 
+const maxRootServers = 3
+
+// randomRootServers returns a shuffled subset of root servers.
+func randomRootServers() []string {
+	all := rootServerList()
+	rand.Shuffle(len(all), func(i, j int) {
+		all[i], all[j] = all[j], all[i]
+	})
+
+	if len(all) > maxRootServers {
+		return all[:maxRootServers]
+	}
+
+	return all
+}
+
 func checkCtx(ctx context.Context) error {
 	err := ctx.Err()
 	if err != nil {
@@ -227,7 +244,7 @@ func (r *Resolver) followDelegation(
 
 		authNS := extractNSSet(resp.Ns)
 		if len(authNS) == 0 {
-			return r.resolveNSIterative(ctx, domain)
+			return r.resolveNSRecursive(ctx, domain)
 		}
 
 		glue := extractGlue(resp.Extra)
@@ -291,84 +308,60 @@ func (r *Resolver) resolveNSIPs(
 	return ips
 }
 
-// resolveNSIterative queries for NS records using iterative
+// resolveNSRecursive queries for NS records using recursive
-// resolution as a fallback when followDelegation finds no
+// resolution as a fallback for intercepted environments.
-// authoritative answer in the delegation chain.
+func (r *Resolver) resolveNSRecursive(
-func (r *Resolver) resolveNSIterative(
 	ctx context.Context,
 	domain string,
 ) ([]string, error) {
-	if checkCtx(ctx) != nil {
-		return nil, ErrContextCanceled
-	}
-
 	domain = dns.Fqdn(domain)
-	servers := rootServerList()
+	msg := new(dns.Msg)
+	msg.SetQuestion(domain, dns.TypeNS)
+	msg.RecursionDesired = true
 
-	for range maxDelegation {
+	for _, ip := range randomRootServers() {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
 
-		resp, err := r.queryServers(
+		addr := net.JoinHostPort(ip, "53")
-			ctx, servers, domain, dns.TypeNS,
+
-		)
+		resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
 		if err != nil {
-			return nil, err
+			continue
 		}
 
 		nsNames := extractNSSet(resp.Answer)
 		if len(nsNames) > 0 {
 			return nsNames, nil
 		}
-
-		// Follow delegation.
-		authNS := extractNSSet(resp.Ns)
-		if len(authNS) == 0 {
-			break
-		}
-
-		glue := extractGlue(resp.Extra)
-		nextServers := glueIPs(authNS, glue)
-
-		if len(nextServers) == 0 {
-			break
-		}
-
-		servers = nextServers
 	}
 
 	return nil, ErrNoNameservers
 }
 
-// resolveARecord resolves a hostname to IPv4 addresses using
+// resolveARecord resolves a hostname to IPv4 addresses.
-// iterative resolution through the delegation chain.
 func (r *Resolver) resolveARecord(
 	ctx context.Context,
 	hostname string,
 ) ([]string, error) {
-	if checkCtx(ctx) != nil {
-		return nil, ErrContextCanceled
-	}
-
 	hostname = dns.Fqdn(hostname)
-	servers := rootServerList()
+	msg := new(dns.Msg)
+	msg.SetQuestion(hostname, dns.TypeA)
+	msg.RecursionDesired = true
 
-	for range maxDelegation {
+	for _, ip := range randomRootServers() {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
 
-		resp, err := r.queryServers(
+		addr := net.JoinHostPort(ip, "53")
-			ctx, servers, hostname, dns.TypeA,
+
-		)
+		resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
 		if err != nil {
-			return nil, fmt.Errorf(
+			continue
-				"resolving %s: %w", hostname, err,
-			)
 		}
 
-		// Check for A records in the answer section.
 		var ips []string
 
 		for _, rr := range resp.Answer {
@@ -380,24 +373,6 @@ func (r *Resolver) resolveARecord(
 		if len(ips) > 0 {
 			return ips, nil
 		}
-
-		// Follow delegation if present.
-		authNS := extractNSSet(resp.Ns)
-		if len(authNS) == 0 {
-			break
-		}
-
-		glue := extractGlue(resp.Extra)
-		nextServers := glueIPs(authNS, glue)
-
-		if len(nextServers) == 0 {
-			// Resolve NS IPs iteratively — but guard
-			// against infinite recursion by using only
-			// already-resolved servers.
-			break
-		}
-
-		servers = nextServers
 	}
 
 	return nil, fmt.Errorf(
@@ -427,7 +402,7 @@ func (r *Resolver) FindAuthoritativeNameservers(
 		candidate := strings.Join(labels[i:], ".") + "."
 
 		nsNames, err := r.followDelegation(
-			ctx, candidate, rootServerList(),
+			ctx, candidate, randomRootServers(),
 		)
 		if err == nil && len(nsNames) > 0 {
 			sort.Strings(nsNames)

internal/state/state.go

@@ -57,47 +57,8 @@ type HostnameState struct {
 // PortState holds the monitoring state for a port.
 type PortState struct {
 	Open        bool      `json:"open"`
-	Hostnames   []string  `json:"hostnames"`
-	LastChecked time.Time `json:"lastChecked"`
-}
-
-// UnmarshalJSON implements custom unmarshaling to handle both
-// the old single-hostname format and the new multi-hostname
-// format for backward compatibility with existing state files.
-func (ps *PortState) UnmarshalJSON(data []byte) error {
-	// Use an alias to prevent infinite recursion.
-	type portStateAlias struct {
-		Open        bool      `json:"open"`
-		Hostnames   []string  `json:"hostnames"`
-		LastChecked time.Time `json:"lastChecked"`
-	}
-
-	var alias portStateAlias
-
-	err := json.Unmarshal(data, &alias)
-	if err != nil {
-		return fmt.Errorf("unmarshaling port state: %w", err)
-	}
-
-	ps.Open = alias.Open
-	ps.Hostnames = alias.Hostnames
-	ps.LastChecked = alias.LastChecked
-
-	// If Hostnames is empty, try reading the old single-hostname
-	// format for backward compatibility.
-	if len(ps.Hostnames) == 0 {
-		var old struct {
 	Hostname    string    `json:"hostname"`
-		}
+	LastChecked time.Time `json:"lastChecked"`
-
-		// Best-effort: ignore errors since the main unmarshal
-		// already succeeded.
-		if json.Unmarshal(data, &old) == nil && old.Hostname != "" {
-			ps.Hostnames = []string{old.Hostname}
-		}
-	}
-
-	return nil
 }
 
 // CertificateState holds TLS certificate monitoring state.
@@ -302,27 +263,6 @@ func (s *State) GetPortState(key string) (*PortState, bool) {
 	return ps, ok
 }
 
-// DeletePortState removes a port state entry.
-func (s *State) DeletePortState(key string) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	delete(s.snapshot.Ports, key)
-}
-
-// GetAllPortKeys returns all port state keys.
-func (s *State) GetAllPortKeys() []string {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	keys := make([]string, 0, len(s.snapshot.Ports))
-	for k := range s.snapshot.Ports {
-		keys = append(keys, k)
-	}
-
-	return keys
-}
-
 // SetCertificateState updates the state for a certificate.
 func (s *State) SetCertificateState(
 	key string,

internal/watcher/watcher.go

@@ -72,15 +72,13 @@ func New(
 	}
 
 	lifecycle.Append(fx.Hook{
-		OnStart: func(_ context.Context) error {
+		OnStart: func(startCtx context.Context) error {
-			// Use context.Background() — the fx startup context
+			ctx, cancel := context.WithCancel(
-			// expires after startup completes, so deriving from it
+				context.WithoutCancel(startCtx),
-			// would cancel the watcher immediately. The watcher's
+			)
-			// lifetime is controlled by w.cancel in OnStop.
-			ctx, cancel := context.WithCancel(context.Background())
 			w.cancel = cancel
 
-			go w.Run(ctx) //nolint:contextcheck // intentionally not derived from startCtx
+			go w.Run(ctx)
 
 			return nil
 		},
@@ -143,16 +141,9 @@ func (w *Watcher) Run(ctx context.Context) {
 
 			return
 		case <-dnsTicker.C:
-			w.runDNSChecks(ctx)
+			w.runDNSAndPortChecks(ctx)
-
-			w.checkAllPorts(ctx)
 			w.saveState()
 		case <-tlsTicker.C:
-			// Run DNS first so TLS checks use freshly
-			// resolved IP addresses, not stale ones from
-			// a previous cycle.
-			w.runDNSChecks(ctx)
-
 			w.runTLSChecks(ctx)
 			w.saveState()
 		}
@@ -160,26 +151,10 @@ func (w *Watcher) Run(ctx context.Context) {
 }
 
 // RunOnce performs a single complete monitoring cycle.
-// DNS checks run first so that port and TLS checks use
-// freshly resolved IP addresses. Port checks run before
-// TLS because TLS checks only target IPs with an open
-// port 443.
 func (w *Watcher) RunOnce(ctx context.Context) {
 	w.detectFirstRun()
-
+	w.runDNSAndPortChecks(ctx)
-	// Phase 1: DNS resolution must complete first so that
-	// subsequent checks use fresh IP addresses.
-	w.runDNSChecks(ctx)
-
-	// Phase 2: Port checks populate port state that TLS
-	// checks depend on (TLS only targets IPs where port
-	// 443 is open).
-	w.checkAllPorts(ctx)
-
-	// Phase 3: TLS checks use fresh DNS IPs and current
-	// port state.
 	w.runTLSChecks(ctx)
-
 	w.saveState()
 	w.firstRun = false
 }
@@ -196,11 +171,7 @@ func (w *Watcher) detectFirstRun() {
 	}
 }
 
-// runDNSChecks performs DNS resolution for all configured domains
+func (w *Watcher) runDNSAndPortChecks(ctx context.Context) {
-// and hostnames, updating state with freshly resolved records.
-// This must complete before port or TLS checks run so those
-// checks operate on current IP addresses.
-func (w *Watcher) runDNSChecks(ctx context.Context) {
 	for _, domain := range w.config.Domains {
 		w.checkDomain(ctx, domain)
 	}
@@ -208,6 +179,8 @@ func (w *Watcher) runDNSChecks(ctx context.Context) {
 	for _, hostname := range w.config.Hostnames {
 		w.checkHostname(ctx, hostname)
 	}
+
+	w.checkAllPorts(ctx)
 }
 
 func (w *Watcher) checkDomain(
@@ -475,94 +448,24 @@ func (w *Watcher) detectInconsistencies(
 }
 
 func (w *Watcher) checkAllPorts(ctx context.Context) {
-	// Phase 1: Build current IP:port → hostname associations
+	for _, hostname := range w.config.Hostnames {
-	// from fresh DNS data.
+		w.checkPortsForHostname(ctx, hostname)
-	associations := w.buildPortAssociations()
-
-	// Phase 2: Check each unique IP:port and update state
-	// with the full set of associated hostnames.
-	for key, hostnames := range associations {
-		ip, port := parsePortKey(key)
-		if port == 0 {
-			continue
 	}
 
-		w.checkSinglePort(ctx, ip, port, hostnames)
+	for _, domain := range w.config.Domains {
+		w.checkPortsForHostname(ctx, domain)
 	}
-
-	// Phase 3: Remove port state entries that no longer have
-	// any hostname referencing them.
-	w.cleanupStalePorts(associations)
 }
 
-// buildPortAssociations constructs a map from IP:port keys to
+func (w *Watcher) checkPortsForHostname(
-// the sorted set of hostnames currently resolving to that IP.
+	ctx context.Context,
-func (w *Watcher) buildPortAssociations() map[string][]string {
+	hostname string,
-	assoc := make(map[string]map[string]bool)
+) {
+	ips := w.collectIPs(hostname)
 
-	allNames := make(
-		[]string, 0,
-		len(w.config.Hostnames)+len(w.config.Domains),
-	)
-	allNames = append(allNames, w.config.Hostnames...)
-	allNames = append(allNames, w.config.Domains...)
-
-	for _, name := range allNames {
-		ips := w.collectIPs(name)
 	for _, ip := range ips {
 		for _, port := range monitoredPorts {
-				key := fmt.Sprintf("%s:%d", ip, port)
+			w.checkSinglePort(ctx, ip, port, hostname)
-				if assoc[key] == nil {
-					assoc[key] = make(map[string]bool)
-				}
-
-				assoc[key][name] = true
-			}
-		}
-	}
-
-	result := make(map[string][]string, len(assoc))
-	for key, set := range assoc {
-		hostnames := make([]string, 0, len(set))
-		for h := range set {
-			hostnames = append(hostnames, h)
-		}
-
-		sort.Strings(hostnames)
-
-		result[key] = hostnames
-	}
-
-	return result
-}
-
-// parsePortKey splits an "ip:port" key into its components.
-func parsePortKey(key string) (string, int) {
-	lastColon := strings.LastIndex(key, ":")
-	if lastColon < 0 {
-		return key, 0
-	}
-
-	ip := key[:lastColon]
-
-	var p int
-
-	_, err := fmt.Sscanf(key[lastColon+1:], "%d", &p)
-	if err != nil {
-		return ip, 0
-	}
-
-	return ip, p
-}
-
-// cleanupStalePorts removes port state entries that are no
-// longer referenced by any hostname in the current DNS data.
-func (w *Watcher) cleanupStalePorts(
-	currentAssociations map[string][]string,
-) {
-	for _, key := range w.state.GetAllPortKeys() {
-		if _, exists := currentAssociations[key]; !exists {
-			w.state.DeletePortState(key)
 		}
 	}
 }
@@ -599,7 +502,7 @@ func (w *Watcher) checkSinglePort(
 	ctx context.Context,
 	ip string,
 	port int,
-	hostnames []string,
+	hostname string,
 ) {
 	result, err := w.portCheck.CheckPort(ctx, ip, port)
 	if err != nil {
@@ -624,8 +527,8 @@ func (w *Watcher) checkSinglePort(
 		}
 
 		msg := fmt.Sprintf(
-			"Hosts: %s\nAddress: %s\nPort now %s",
+			"Host: %s\nAddress: %s\nPort now %s",
-			strings.Join(hostnames, ", "), key, stateStr,
+			hostname, key, stateStr,
 		)
 
 		w.notify.SendNotification(
@@ -638,7 +541,7 @@ func (w *Watcher) checkSinglePort(
 
 	w.state.SetPortState(key, &state.PortState{
 		Open:        result.Open,
-		Hostnames:   hostnames,
+		Hostname:    hostname,
 		LastChecked: now,
 	})
 }

internal/watcher/watcher_test.go

@@ -682,80 +682,6 @@ func TestGracefulShutdown(t *testing.T) {
 	}
 }
 
-func setupHostnameIP(
-	deps *testDeps,
-	hostname, ip string,
-) {
-	deps.resolver.allRecords[hostname] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {ip}},
-	}
-	deps.portChecker.results[ip+":80"] = true
-	deps.portChecker.results[ip+":443"] = true
-	deps.tlsChecker.certs[ip+":"+hostname] = &tlscheck.CertificateInfo{
-		CommonName:              hostname,
-		Issuer:                  "DigiCert",
-		NotAfter:                time.Now().Add(90 * 24 * time.Hour),
-		SubjectAlternativeNames: []string{hostname},
-	}
-}
-
-func updateHostnameIP(deps *testDeps, hostname, ip string) {
-	deps.resolver.mu.Lock()
-	deps.resolver.allRecords[hostname] = map[string]map[string][]string{
-		"ns1.example.com.": {"A": {ip}},
-	}
-	deps.resolver.mu.Unlock()
-
-	deps.portChecker.mu.Lock()
-	deps.portChecker.results[ip+":80"] = true
-	deps.portChecker.results[ip+":443"] = true
-	deps.portChecker.mu.Unlock()
-
-	deps.tlsChecker.mu.Lock()
-	deps.tlsChecker.certs[ip+":"+hostname] = &tlscheck.CertificateInfo{
-		CommonName:              hostname,
-		Issuer:                  "DigiCert",
-		NotAfter:                time.Now().Add(90 * 24 * time.Hour),
-		SubjectAlternativeNames: []string{hostname},
-	}
-	deps.tlsChecker.mu.Unlock()
-}
-
-func TestDNSRunsBeforePortAndTLSChecks(t *testing.T) {
-	t.Parallel()
-
-	cfg := defaultTestConfig(t)
-	cfg.Hostnames = []string{"www.example.com"}
-
-	w, deps := newTestWatcher(t, cfg)
-
-	setupHostnameIP(deps, "www.example.com", "10.0.0.1")
-
-	ctx := t.Context()
-	w.RunOnce(ctx)
-
-	snap := deps.state.GetSnapshot()
-	if _, ok := snap.Ports["10.0.0.1:80"]; !ok {
-		t.Fatal("expected port state for 10.0.0.1:80")
-	}
-
-	// DNS changes to a new IP; port and TLS must pick it up.
-	updateHostnameIP(deps, "www.example.com", "10.0.0.2")
-
-	w.RunOnce(ctx)
-
-	snap = deps.state.GetSnapshot()
-
-	if _, ok := snap.Ports["10.0.0.2:80"]; !ok {
-		t.Error("port check used stale DNS: missing 10.0.0.2:80")
-	}
-
-	certKey := "10.0.0.2:443:www.example.com"
-	if _, ok := snap.Certificates[certKey]; !ok {
-		t.Error("TLS check used stale DNS: missing " + certKey)
-	}
-}
-
 func TestNSFailureAndRecovery(t *testing.T) {
 	t.Parallel()